Snort mailing list archives
Unified2 extra data
From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 3 Jan 2013 13:58:35 +0000
Hello there and a Happy New Year to all...

I'm a bit late in reading Joel's blog post:

http://vrt-blog.snort.org/2012/12/exploit-kit-java-user-agent-downloading.html

In particular, I'm interested in the last paragraph:

"Now, even if you don't have a Sourcefire device you can still dump out the "extra data" fields from your unified2 logs and see exactly which url's prompted these downloads like I show above."

Reading http://manual.snort.org/node255.html it implies

config log_uri
config log_hostname

are useful options to add to snort.conf.

Do these extend the u2 format, or just fill in existing fields? Is this extra information then understood by the likes of Barnyard2 and added to a database, or only viewable with u2spewfoo?

Thanks.

-- 
Peter Bates
Senior Information Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
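The "extra data" records the quoted blog post refers to can also be read directly from a unified2 file. The following is an added example, not part of this thread and not Snort's or Barnyard2's own code: a small Python parser that walks unified2 records and pulls the HTTP URI and hostname values out of extra-data records, using the record layout and type codes from Snort's Unified2_common.h. The sample log bytes, event id and timestamp are constructed for the demo.

```python
import struct

# Type codes from Snort's Unified2_common.h (record type, event type, extra-data info types).
UNIFIED2_EXTRA_DATA = 110        # record type of an "extra data" record
EVENT_TYPE_EXTRA_DATA = 4        # event_type field of the extra-data header
EVENT_DATA_TYPE_BLOB = 1
EVENT_INFO_HTTP_URI = 9          # emitted when snort.conf has "config log_uri"
EVENT_INFO_HTTP_HOSTNAME = 10    # emitted when snort.conf has "config log_hostname"
INFO_NAMES = {EVENT_INFO_HTTP_URI: "http_uri", EVENT_INFO_HTTP_HOSTNAME: "http_hostname"}

def build_extra_data_record(event_id, event_second, info_type, payload, sensor_id=0):
    """Serialize one extra-data record the way Snort's unified2 output plugin lays it out."""
    # blob_length covers the data_type and blob_length fields themselves plus the payload.
    serial = struct.pack("!IIIIII", sensor_id, event_id, event_second, info_type,
                         EVENT_DATA_TYPE_BLOB, 8 + len(payload)) + payload
    body = struct.pack("!II", EVENT_TYPE_EXTRA_DATA, 8 + len(serial)) + serial
    return struct.pack("!II", UNIFIED2_EXTRA_DATA, len(body)) + body  # Unified2RecordHeader

def iter_records(buf):
    """Yield (record_type, record_body) for each record in a unified2 byte buffer."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from("!II", buf, off)
        off += 8
        if off + rlen > len(buf):
            raise ValueError("truncated record at offset %d" % (off - 8))
        yield rtype, buf[off:off + rlen]
        off += rlen

def extract_http_extra_data(buf):
    """Return [(event_id, 'http_uri'|'http_hostname', text)] from every extra-data record."""
    found = []
    for rtype, body in iter_records(buf):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue  # event and packet records are left alone; only extra data carries URIs
        (_etype, _elen, _sensor, event_id, _sec, info_type,
         _dtype, blob_len) = struct.unpack_from("!IIIIIIII", body, 0)
        data = body[32:32 + blob_len - 8]
        if info_type in INFO_NAMES:
            found.append((event_id, INFO_NAMES[info_type], data.decode("latin-1")))
    return found

def sample_log():
    """Constructed sample: a placeholder record of another type, then a URI/hostname pair for event 42."""
    other = struct.pack("!II", 7, 4) + b"\x00" * 4  # constructed non-extra-data record, skipped
    return (other
            + build_extra_data_record(42, 1357220315, EVENT_INFO_HTTP_URI, b"/js/load.php")
            + build_extra_data_record(42, 1357220315, EVENT_INFO_HTTP_HOSTNAME, b"example.com"))
```

Pairing the event_id with the matching event record (type 7 or 104, not parsed here) is what lets you attach the URI and hostname to a specific alert.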
Current thread:
- Unified2 extra data Peter Bates (Jan 03)
- Re: Unified2 extra data beenph (Jan 03)